LangGraph flaw chain exposes self-hosted AI agent to remote code execution

AI News


Ravi Lakshmanan, June 12, 2026 (Vulnerability / AI Security)

Cybersecurity researchers have detailed three now-patched security flaws affecting LangGraph, including a critical vulnerability chain that could allow remote code execution.

LangGraph is an open-source framework created by LangChain for building complex, stateful, multi-agent artificial intelligence (AI) agent applications.

“Introducing SQL injection into LangGraph’s functionality could allow an attacker to exploit weaknesses in the way the system processes data and remotely execute code and gain complete control of the server,” Check Point said.

The list of identified vulnerabilities is as follows:

  • CVE-2025-67644 (CVSS score: 7.3) – A SQL injection vulnerability exists in LangGraph’s SQLite checkpoint implementation that allows an attacker to manipulate SQL queries through metadata filter keys. (Affects versions of langgraph-checkpoint-sqlite prior to version 3.0.1)
  • CVE-2026-28277 (CVSS score: 6.8) – LangGraph has an insecure msgpack deserialization vulnerability that could be used to trigger object reconstruction when a checkpoint is loaded by an attacker who can modify checkpoint data. (Affects LangGraph versions prior to 1.0.10)
  • CVE-2026-27022 (CVSS score: 6.5) – RediSearch query injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. (Affects @langchain/langgraph-checkpoint-redis versions prior to version 1.0.1)

“This vulnerability chain is exploitable in self-hosted deployments using SQLite or Redis checkpointing tools with user-controlled filter inputs,” Check Point said. “LangChain’s managed platform (LangSmith Deployment) is not affected.”

Security researcher Yarden Porat, who is credited with discovering and reporting all three flaws, said CVE-2025-67644 and CVE-2026-28277 can be chained together to achieve remote code execution.

Specifically, the attack chain relies on an application exposing a get_state_history() endpoint, which allows an attacker to retrieve historical checkpoints based on metadata. The attack proceeds as follows:

  • An attacker prepares a msgpack payload containing instructions to execute arbitrary code.
  • An attacker sends a malicious filter parameter that exploits a SQL injection vulnerability to return bogus checkpoint rows in the results of a database query. This checkpoint column contains serialized data controlled by the attacker.
  • When the application processes the query results, it deserializes the malicious checkpoint blob.
  • The insecure deserialization vulnerability then executes the attacker’s payload, yielding remote code execution on the server.
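The first link in that chain is a metadata filter that reaches the checkpoint store unvalidated. As an added illustration (not code from LangGraph or Check Point) of the control a self-hosted deployment should put in front of its checkpointer: filter keys are checked against an allow-list of identifiers and every value, including the JSON path, is bound as a query parameter. The table layout, key names and sample rows are constructed for the example and do not reflect LangGraph’s real schema.

```python
import json
import re
import sqlite3

# Hypothetical allow-list of metadata keys this application lets callers
# filter on; an assumption for the example, not LangGraph's own schema.
ALLOWED_FILTER_KEYS = frozenset({"source", "step", "thread_owner"})
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_metadata_filter(metadata_filter):
    """Return a cleaned copy of a user-supplied filter, or raise ValueError."""
    if not isinstance(metadata_filter, dict):
        raise ValueError("metadata filter must be a JSON object")
    cleaned = {}
    for key, value in metadata_filter.items():
        # Keys must be plain identifiers on the allow-list: no quotes, spaces
        # or comment markers can ever reach the SQL text.
        if not isinstance(key, str) or not _IDENTIFIER.fullmatch(key):
            raise ValueError(f"malformed filter key {key!r}")
        if key not in ALLOWED_FILTER_KEYS:
            raise ValueError(f"filter key {key!r} is not permitted")
        # Values are restricted to JSON scalars and are always bound as parameters.
        if value is not None and not isinstance(value, (str, int, float, bool)):
            raise ValueError(f"filter value for {key!r} must be a scalar")
        cleaned[key] = value
    return cleaned

def query_history(conn, thread_id, metadata_filter):
    """Return checkpoint ids for a thread; every filter term is a bound parameter."""
    cleaned = validate_metadata_filter(metadata_filter)
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in cleaned.items():
        # Even the JSON path is bound, never concatenated into the statement.
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend(["$." + key, value])
    sql = "SELECT checkpoint_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql + " ORDER BY rowid", params)]

def demo_store():
    """Constructed in-memory checkpoint table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, metadata TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", [
        ("t1", "ckpt-1", json.dumps({"source": "input", "step": 0})),
        ("t1", "ckpt-2", json.dumps({"source": "loop", "step": 1})),
        ("t2", "ckpt-3", json.dumps({"source": "input", "step": 0})),
    ])
    return conn
```

A key that is not a bare identifier, or not on the allow-list, is rejected before any SQL is built, so the injection path the advisory describes never opens regardless of the checkpointer version in use.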

LangGraph describes CVE-2026-28277 as a post-exploitation issue. Successful exploitation requires the ability to write attacker-controlled checkpoint data and turn it into code execution at application runtime, and it does not pose a risk to existing LangSmith-hosted deployments.

In such a scenario, escalation from write access to the checkpoint store to code execution “could expose runtime secrets or provide access to other systems that the runtime can reach,” LangGraph administrators said. “The threat model described requires an attacker to tamper with the checkpoint persistence layer used in the deployment. Typical hosted configurations are designed to prevent such access.”

Check Point said the findings demonstrate how classic vulnerability classes like SQL injection become more powerful when they appear inside an AI agent framework that carries elevated access and trust, thereby opening the door to the disclosure of sensitive data.

We recommend that users apply the latest fixes, implement authentication for self-hosted LangGraph servers, avoid long-lived static secrets, enforce network segmentation, treat AI agents as privileged identities, and enforce the principle of least privilege (PoLP) to limit the agent’s access footprint.
